Author and leading security expert Bruce Schneier digs into the topics of the current state of cryptography and whether or not companies should care about the U.S. government's release of portions of the CNCI.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.

Mike Mimoso: The first question, at the Cryptographers' Panel yesterday, the panel talked about the potential demise of a couple of algorithms, particularly AES 128 and RSA 1024. They talked about this happening, potentially within the next decade. Do you think this is inevitable, or was it something that you never thought you would see?

Bruce Schneier: There is a fundamental rule of cryptanalysis, that it always gets better, it never gets worse. Every year there are advances in techniques and we learn how to make things better. Some things like RSA, you are going to have advances just due to Moore's Law, like factoring gets faster, in addition to advances in how we factor. We knew that 1,000-bit keys were doomed when we created them. Exactly when, we do not know, but it is pretty much right on schedule. I think anybody who is using 1,000-bit keys today is long overdue for updating. Something like AES was a little harder to forecast to foresee. There were a lot of us during the AES competition that did not really like Rijndael because it was so simple, because it was playing so close to the edge. We are looking at 128 go down sooner than we expected, but there are people who did not trust Rijndael, which became RSA, because of that. The timing is always a surprise, but we know this was going to happen sooner or later.

Mike Mimoso: When something like this happens, are you sad to see these algorithms go? Do you feel a close connection to them?

Bruce Schneier: I think more exciting are the new techniques we learn that cause the algorithms to fall. Every time an algorithm breaks, we learn more how to make something secure. Every cryptanalysis paper is also design information. Yes, it is sad to see things go, but it is great to see what we learn when they go.

Mike Mimoso: You answered the question a little bit, but can you talk about the state of cryptography today? Is it any better today than it was, maybe, a decade ago?

Bruce Schneier: Cryptography is the same it was a decade ago. It turns out that the fundamental problems in cryptography are not really about cryptography. We built all the cryptography needed in the '80s, to do the things we need to do today. Many algorithms are different, maybe some of the computations are different, but the basic ideas are all the same. The real hard problems are in using cryptography, embedding it in software, remembering and moving secrets around, installing it, updating it; that is the real hard stuff. The cryptography things we got pretty licked. You go to the show floor at RSA, the cool companies are not doing cryptography, they might be using cryptography in some cool way, but the stuff they are using is decades old.

Mike Mimoso: What do you make of the government's decision to declassify portions of the CNCI?

Bruce Schneier: It was interesting to see. It is really a summary; there is not a lot of details. In all of these matters, the devil is in the details. I like the fact that they declassified what they did, I think it is interesting reading, but I do not think we learned a lot. What is missing is more important than what is there.

Mike Mimoso: CNCI has always been this mysterious document. Do you think it is really worth the time in the general business population to worry about this?

Bruce Schneier: I doubt it, it is a policy document. We do not know what is implemented, we do not know the time from it, a lot of things we do not know, but in some ways it is like alien technology. We know so little about what goes on, that any little data we get we study minutely because it is all we have, and we try to learn from it. My guess is there is less there than we want.

Mike Mimoso: I do not think we have spoken since Howard Schmidt was appointed Cyber Security Coordinator. I do not know if you know Howard very well, but do you think he is the right type of person, that blend of part politician, part technologist?

Bruce Schneier: Cyber Security Coordinator, or Czars, is a really hard job without budgetary authority, there is not a lot you can do, and Howard Schmidt is one of the few people who actually might be effective in that role. I do not think it is easy, but he definitely has the political skills and the technical chops, so he has got a shot, and I wish him well. People can do big jobs, but they need resources behind them. The problem with cyber security is that it does not have the resources behind it. All you can do is control, all you can do is cheerlead, all you can do is suggest, you cannot mandate. If you cannot mandate, you cannot get stuff done. You got to be politically savvy, technically savvy, you got to keep quiet, so it is a hard job. He is a good choice, and I wish him well, but he has got a tough row to hoe.
